Closed Bug 1653642 Opened 4 years ago Closed 4 years ago

Crash in [@ mozilla::net::CallOnStop::~CallOnStop]

Categories

(Core :: Networking: WebSockets, defect, P1)

Product:
Core
Component:
Networking: WebSockets
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla80
Tracking Flags:
Tracking Status
firefox-esr68 --- unaffected
firefox-esr78 --- unaffected
firefox78 --- unaffected
firefox79 --- unaffected
firefox80 --- fixed

People

(Reporter: u608768, Assigned: kershaw)

References

Details

(Keywords: crash, Whiteboard: [necko-triaged])

Crash Data

Attachments

(1 obsolete file)

This bug is for crash report bp-61a11c5f-92cc-4df1-bba3-647150200717.

Top 10 frames of crashing thread:

0 libxul.so mozilla::net::CallOnStop::~CallOnStop netwerk/protocol/websocket/WebSocketChannel.cpp:593
1 libxul.so mozilla::net::CallOnStop::~CallOnStop netwerk/protocol/websocket/WebSocketChannel.cpp:593
2 libxul.so mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal xpcom/string/nsSubstring.cpp
3 libxul.so mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal xpcom/threads/nsThreadUtils.h:577
4 libxul.so nsThread::ProcessNextEvent xpcom/threads/nsThread.cpp:1234
5 libxul.so nsThread::Shutdown xpcom/threads/nsThread.cpp:898
6 libxul.so mozilla::net::nsSocketTransportService::ShutdownThread netwerk/base/nsSocketTransportService2.cpp:853
7 libxul.so mozilla::net::nsIOService::SetOffline netwerk/base/nsIOService.cpp:1314
8 libxul.so mozilla::net::nsIOService::Observe netwerk/base/nsIOService.cpp:1601
9 libxul.so non-virtual thunk to mozilla::net::nsIOService::Observe netwerk/base/nsIOService.cpp

Started in build 20200716212737. Regression window: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=c8e9ecbc6236ea4cf1aa5063f20583e1f574f2b9&tochange=a35461d1fc07e6e855d064453363a46d32bb5a3d

kershaw, could this have been bug 1497249.

Flags: needinfo?(kershaw)
Crash Signature: [@ mozilla::net::CallOnStop::~CallOnStop] → [@ mozilla::net::CallOnStop::~CallOnStop] [@ mozilla::net::CallOnStop::Run ]
Assignee: nobody → kershaw
Severity: -- → S2
Flags: needinfo?(kershaw)
Priority: -- → P1
Whiteboard: [necko-triaged]

Based on this report, It seems that the WebSocketChannel is already released. Since the channel is stored by a strong pointer in CallOnStop, the address should be already invalid when constructing CallOnStop. I think this should be caused by releasing the channel when nsWebSocketConnection::Close() is called here.

(In reply to Kershaw Chang [:kershaw] from comment #1)

the address should be already invalid when constructing CallOnStop.

But what scenario could lead to calling WebSocketChannel::DoStopSession() on a freed object? I would expect there is somewhere a strong reference on the callstack...

Flags: needinfo?(kershaw)

(In reply to Michal Novotny [:michal] from comment #3)

(In reply to Kershaw Chang [:kershaw] from comment #1)

the address should be already invalid when constructing CallOnStop.

But what scenario could lead to calling WebSocketChannel::DoStopSession() on a freed object? I would expect there is somewhere a strong reference on the callstack...

I think (In reply to Michal Novotny [:michal] from comment #3)

(In reply to Kershaw Chang [:kershaw] from comment #1)

the address should be already invalid when constructing CallOnStop.

But what scenario could lead to calling WebSocketChannel::DoStopSession() on a freed object? I would expect there is somewhere a strong reference on the callstack...

I think this happens when WebSocketChannel::CleanupConnection() is called inside WebSocketChannel::DoStopSession(). Could be here. I assume at this point, the only strong reference that holds WebSocketChannel is the mConnection. And then, nsWebSocketConnection::Close() is called and the channel is released at here. At the end, an invalid address is passed to CallOnStop's constructor.

Flags: needinfo?(kershaw)
Pushed by kjang@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/1ab7f1314221
Don't release WebSocketChannel in nsWebSocketConnection::Close, r=michal,necko-reviewers
Pushed by kjang@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/1c9946becbca
Don't release WebSocketChannel in nsWebSocketConnection::Close, r=michal,necko-reviewers
Crash Signature: [@ mozilla::net::CallOnStop::~CallOnStop] [@ mozilla::net::CallOnStop::Run ] → [@ mozilla::net::CallOnStop::~CallOnStop] [@ mozilla::net::CallOnStop::Run ] [@ mozilla::net::WebSocketChannel::DoStopSession]

https://hg.mozilla.org/mozilla-central/rev/1c9946becbca

Status: NEW → RESOLVED
Closed: 4 years ago
status-firefox80: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla80

Backed out 3 changesets (bug 1653642, bug 1497249) for causing Bug 1654282.
Backed out changeset 1c9946becbca.
Link: https://hg.mozilla.org/integration/autoland/rev/d72591a16d42a6cefcffe3df901fa9d0db440193

Status: RESOLVED → REOPENED
Crash Signature: [@ mozilla::net::CallOnStop::~CallOnStop] [@ mozilla::net::CallOnStop::Run ] [@ mozilla::net::WebSocketChannel::DoStopSession] → [@ mozilla::net::CallOnStop::~CallOnStop] [@ mozilla::net::CallOnStop::Run ] [@ mozilla::net::WebSocketChannel::DoStopSession]
status-firefox80: fixedaffected
Resolution: FIXED → ---
Target Milestone: mozilla80 → ---

This should be fixed by backing out bug 1497249.

Status: REOPENED → RESOLVED
Closed: 4 years ago4 years ago
Resolution: --- → FIXED
Attachment #9164648 - Attachment is obsolete: true
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: